The app is made by China-based TCL Communication Technology Holdings Ltd, which also manufactures the BlackBerry and Alcatel smartphones under licence.

Data harvesting

The app is popular, having been downloaded more than 10 million times.

Upstream Systems said it began its investigation after “an unusually high number of fraudulent transaction attempts in Brazil and Malaysia” from Alcatel devices.

Digging deeper, Upstream Systems alleged that it had “identified that a pre-installed Weather forecast application, siphons a lot of data and attempts the fraudulent transactions.”

“It collects and transmits geographic locations, email addresses, IMEIs to a server in China and has a number of privacy invasive permissions on the device,” stated Upstream Systems.

“Had it not been blocked it would have succeeded to subscribe users on Alcatel phones in countries like Brazil, Malaysia and Nigeria to paid services for which users would have been billed more than $1.5 million,” the security firm added.

The Upstream Systems researchers placed an Alcatel handset in a sandbox and “the com.tct.weather Android application immediately initiated calls to servers that are not related to the application’s main function.”

The app then began accessing web pages with digital ads in the background and clicking the buttons on those pages, committing click fraud, said Upstream.

Advertising click fraud is where a malicious app or process bombards websites with false traffic to earn advertising revenue.

“Tens of millions of Android Smartphone users across the globe are being affected similarly when downloading TCL’s Weather-Simple weather forecast from Google’s official Play Store,” wrote Upstream. “Overall, whether pre-installed on Alcatel devices or downloaded from Google’s official Play Store, the application com.tct.weather has generated over 27m fraudulent transaction attempts across 7 markets.”

The firm identified over several hundred phones from the likes of ZTE, MediaTek, Archos and Blaupunkt, among others, as being shipped with the Cosiloon adware, which is reportedly very difficult to remove.